The US has been “leaking” secret information to the pro-Russian country for years
For years, United States agencies have been "leaking" secret information to the servers of pro-Russian Mali due to elementary vulnerabilities in cyber security, The Financial Times reports. Millions of US military emails have been misdirected to Mali through a "typo leak" that has exposed highly sensitive information, including diplomatic documents, tax returns, passwords and the travel details of top officers.
Despite repeated warnings over a decade, a steady flow of email traffic continues to the .ML domain, the country identifier for Mali. This is the result of an error when entering the .MIL domain in the US Department of Defense email addresses. The problem was first identified almost a decade ago by Johannes Zuurbier, a Dutch internet entrepreneur who had a contract to manage Mali's country domain.
Since January, Zuurbier has been collecting misdirected emails in an effort to persuade the US government to take the issue seriously. He has racked up more than 117,000 misdirected messages, with almost 1,000 arriving on Wednesday alone. In a letter he sent to the US in early July, Zuurbier wrote: "This risk is real and could be exploited by adversaries of the United States."
Control of the .ML domain will revert on Monday from Zuurbier to Mali's government, which is closely allied with Russia. When Zuurbier's 10-year management contract expires, Malian authorities will be able to gather the misdirected emails. Zuurbier, managing director of Amsterdam-based Mali Dili, has approached US officials repeatedly, including through a defence attache in Mali, a senior adviser to the US national cyber security service, and even White House officials.
Secret materials
Much of the email flow is spam and none is marked as classified.
But some messages contain highly sensitive data on serving US military personnel, contractors and their families. Their contents include X-rays and medical data, identity document information, crew lists for ships, staff lists at bases, maps of installations, photos of bases, naval inspection reports, contracts, criminal complaints against personnel, internal investigations into bullying, official travel itineraries, bookings, and tax and financial records. One misdirected email included the travel itinerary of General James McConville, the US army's chief of staff, and his delegation as they prepared for a trip to Indonesia earlier this year.
The email included a full list of room numbers, the itinerary for McConville and 20 others, as well as details of the collection of McConville's room key at the Grand Hyatt Jakarta. According to Lt. Cmdr Tim Gorman, a spokesman for the Pentagon, the Department of Defense is aware of this issue and takes all unauthorised disclosures of controlled national security information or controlled unclassified information seriously.
He said that emails sent directly from the .mil domain to Malian addresses are blocked before they leave the .mil domain and the sender is notified that they must validate the email addresses of the intended recipients. However, the endless flow of data shows some systematic sources of leakage. Travel agents working for the military routinely misspell emails.
Staff sending emails between their own accounts are also a problem. One FBI agent with a naval role sought to forward six messages to their military email -- and accidentally dispatched them to Mali. One included an urgent Turkish diplomatic letter to the US state department about possible operations by the militant Kurdistan Workers' party (PKK) against Turkish interests in the US.
One FBI agent regularly mistyped their own email when forwarding notes, including an alert from the Turkish embassy in Washington on potential activities by a designated terrorist group. The same person also forwarded a series of briefings on domestic US terrorism marked "For Official Use Only" and a global counter-terrorism assessment headlined "Not Releasable to the Public or Foreign Governments". A "sensitive" briefing on efforts by Iran's Islamic Revolutionary Guards Corps to use Iranian students and the Telegram messaging app to conduct espionage in the US was also included.
Around a dozen people mistakenly requested recovery passwords for an intelligence community system to be sent to Mali. Others sent the passwords needed to access documents hosted on the US Department of Defense's secure access file exchange. Many emails are from private contractors working with the US military.
Among them are twenty routine updates from defence contractor General Dynamics relating to the production of ammunition for the army.
International problem
Similar incidents occur in other countries. The Dutch army uses the domain army.nl, a keystroke away from army.ml. Zuurbier has collected more than a dozen emails from the Dutch military, in which they discussed with Italian counterparts the issue of transporting ammunition in Italy.
The emails also include a discussion of future military procurement options and a complaint about the vulnerability of Dutch units to cyber attacks. The Ministry of Defense of the Netherlands did not respond to a request for comment. Eight emails from the Australian Department of Defence, intended for US recipients, went astray.
Those included a presentation about corrosion problems affecting Australian F-35s.
Australia's Ministry of Defense said it "does not comment on security matters".